Loading...

Type: Bug
Resolution: Done
Priority: Major
Fix Version/s: 1.3.0.Final
Affects Version/s: 1.2.4.Final
Component/s: None
Labels:
None

Steps to Reproduce:

Hide

1) Deploy attached deployment do application server
2) Access http://localhost:8080/WildflyConfigXmlReproducerServlet/servlet -> it will fail with Exception mentioned in Jira description
3) Uncomment permission in META-INF/permissions.xml in attached deployment and redeploy
4) Access http://localhost:8080/WildflyConfigXmlReproducerServlet/servlet -> Exception is not thrown

Show
1) Deploy attached deployment do application server 2) Access http://localhost:8080/WildflyConfigXmlReproducerServlet/servlet -> it will fail with Exception mentioned in Jira description 3) Uncomment permission in META-INF/permissions.xml in attached deployment and redeploy 4) Access http://localhost:8080/WildflyConfigXmlReproducerServlet/servlet -> Exception is not thrown
Git Pull Request:
https://github.com/wildfly-security/wildfly-elytron/pull/1119

There is a difference between required Permission for ElytronXmlParser.parseAuthenticationClientConfiguration() method in version 1.1.7.Final (JBoss EAP 7.1.0.GA) and 1.2.4.Final (JBoss EAP 7.2.0.CD12.CR1) when runs with Security Manager. Version 1.2.4.Final newly requires Permission java.security.SecurityPermission putProviderProperty.WildFlyElytron. It fails with following Exception:

java.security.AccessControlException: WFSM000001: Permission check failed (permission "("java.security.SecurityPermission" "putProviderProperty.WildFlyElytron")" in code source "(vfs:/content/WildflyConfigXmlReproducerServlet.war/WEB-INF/classes <no signer certificates>)" of "ModuleClassLoader for Module "deployment.WildflyConfigXmlReproducerServlet.war" from Service Module Loader")
	at org.wildfly.security.manager.WildFlySecurityManager.checkPermission(WildFlySecurityManager.java:295)
	at org.wildfly.security.manager.WildFlySecurityManager.checkPermission(WildFlySecurityManager.java:192)
	at java.lang.SecurityManager.checkSecurityAccess(SecurityManager.java:1759)
	at org.wildfly.security.manager.WildFlySecurityManager.checkSecurityAccess(WildFlySecurityManager.java:581)
	at java.security.Provider.check(Provider.java:658)
	at java.security.Provider.putService(Provider.java:1120)
	at org.wildfly.security.WildFlyElytronProvider.putHttpAuthenticationMechanismImplementations(WildFlyElytronProvider.java:232)
	at org.wildfly.security.WildFlyElytronProvider.<init>(WildFlyElytronProvider.java:142)
	at org.wildfly.security.auth.client.ElytronXmlParser.lambda$static$0(ElytronXmlParser.java:131)
	at org.wildfly.security.util.ProviderUtil$1.get(ProviderUtil.java:159)
	at org.wildfly.security.util.ProviderUtil$1.get(ProviderUtil.java:147)
	at org.wildfly.security.auth.client.ElytronXmlParser$DeferredSupplier.get(ElytronXmlParser.java:2826)
	at org.wildfly.security.password.PasswordFactory.getInstance(PasswordFactory.java:116)
	at org.wildfly.security.auth.client.ElytronXmlParser.lambda$parseClearPassword$49(ElytronXmlParser.java:2252)
	at org.wildfly.security.auth.client.ElytronXmlParser.lambda$parseCredentialsType$31(ElytronXmlParser.java:1065)
	at org.wildfly.security.auth.client.ElytronXmlParser.lambda$andThenOp$27(ElytronXmlParser.java:1042)
	at org.wildfly.security.auth.client.ElytronXmlParser.lambda$parseCredentialsType$38(ElytronXmlParser.java:1108)
	at org.wildfly.security.auth.client.ElytronXmlParser.lambda$parseAuthenticationConfigurationType$22(ElytronXmlParser.java:836)
	at org.wildfly.security.auth.client.ElytronXmlParser.lambda$andThenOp$27(ElytronXmlParser.java:1042)
	at org.wildfly.security.auth.client.ElytronXmlParser.lambda$parseAuthenticationConfigurationType$26(ElytronXmlParser.java:884)
	at org.wildfly.security.auth.client.ElytronXmlParser.lambda$parseAuthenticationRuleType$11(ElytronXmlParser.java:716)
	at org.wildfly.security.auth.client.ElytronXmlParser.lambda$parseRulesType$12(ElytronXmlParser.java:742)
	at org.wildfly.security.auth.client.ElytronXmlParser.parseAuthenticationClientType(ElytronXmlParser.java:351)
	at org.wildfly.security.auth.client.ElytronXmlParser.parseAuthenticationClientConfiguration(ElytronXmlParser.java:227)
	at org.wildfly.security.auth.client.ElytronXmlParser.parseAuthenticationClientConfiguration(ElytronXmlParser.java:188)
	at com.redhat.eap.qe.elytron.authnctx.WildflyConfigXmlReproducerServlet.parseAndCreateAuthenticationClientConfiguration(WildflyConfigXmlReproducerServlet.java:51)
	at com.redhat.eap.qe.elytron.authnctx.WildflyConfigXmlReproducerServlet.doGet(WildflyConfigXmlReproducerServlet.java:44)
	...

In case this change is expected then Release Notes Jira should be created.

The same Permission is needed when authentication context is obtained from server configuration (through default-authentication-context in elytron subsystem):

java.security.AccessControlException: WFSM000001: Permission check failed (permission "("java.security.SecurityPermission" "putProviderProperty.WildFlyElytron")" in code source "(vfs:/content/direct-call-dep.war/WEB-INF/classes <no signer certificates>)" of "ModuleClassLoader for Module "deployment.direct-call-dep.war" from Service Module Loader")
	at org.wildfly.security.manager.WildFlySecurityManager.checkPermission(WildFlySecurityManager.java:295)
	at org.wildfly.security.manager.WildFlySecurityManager.checkPermission(WildFlySecurityManager.java:192)
	at java.lang.SecurityManager.checkSecurityAccess(SecurityManager.java:1759)
	at org.wildfly.security.manager.WildFlySecurityManager.checkSecurityAccess(WildFlySecurityManager.java:581)
	at java.security.Provider.check(Provider.java:658)
	at java.security.Provider.putService(Provider.java:1120)
	at org.wildfly.security.WildFlyElytronProvider.putHttpAuthenticationMechanismImplementations(WildFlyElytronProvider.java:232)
	at org.wildfly.security.WildFlyElytronProvider.<init>(WildFlyElytronProvider.java:142)
	at org.wildfly.security.auth.client.AuthenticationConfiguration.lambda$static$0(AuthenticationConfiguration.java:169)
	at org.wildfly.security.util.ProviderUtil$1.get(ProviderUtil.java:159)
	at org.wildfly.security.util.ProviderUtil$1.get(ProviderUtil.java:147)
	at org.wildfly.security.sasl.util.SecurityProviderSaslClientFactory.createSaslClient(SecurityProviderSaslClientFactory.java:85)
	at org.wildfly.security.sasl.util.AbstractDelegatingSaslClientFactory.createSaslClient(AbstractDelegatingSaslClientFactory.java:66)
	at org.wildfly.security.sasl.util.ProtocolSaslClientFactory.createSaslClient(ProtocolSaslClientFactory.java:50)
	at org.wildfly.security.sasl.util.AbstractDelegatingSaslClientFactory.createSaslClient(AbstractDelegatingSaslClientFactory.java:66)
	at org.wildfly.security.sasl.util.ServerNameSaslClientFactory.createSaslClient(ServerNameSaslClientFactory.java:50)
	at org.wildfly.security.sasl.util.AbstractDelegatingSaslClientFactory.createSaslClient(AbstractDelegatingSaslClientFactory.java:66)
	at org.wildfly.security.sasl.util.ServerNameSaslClientFactory.createSaslClient(ServerNameSaslClientFactory.java:50)
	at org.wildfly.security.sasl.util.FilterMechanismSaslClientFactory.createSaslClient(FilterMechanismSaslClientFactory.java:102)
	at org.wildfly.security.sasl.util.AbstractDelegatingSaslClientFactory.createSaslClient(AbstractDelegatingSaslClientFactory.java:66)
	at org.wildfly.security.sasl.util.LocalPrincipalSaslClientFactory.createSaslClient(LocalPrincipalSaslClientFactory.java:76)
	at org.wildfly.security.sasl.util.PrivilegedSaslClientFactory.lambda$createSaslClient$0(PrivilegedSaslClientFactory.java:64)
	at java.security.AccessController.doPrivileged(Native Method)
	at org.wildfly.security.sasl.util.PrivilegedSaslClientFactory.createSaslClient(PrivilegedSaslClientFactory.java:64)
	at org.wildfly.security.auth.client.AuthenticationConfiguration.createSaslClient(AuthenticationConfiguration.java:1348)
	at org.wildfly.security.auth.client.AuthenticationContextConfigurationClient.createSaslClient(AuthenticationContextConfigurationClient.java:395)
	at org.jboss.remoting3.remote.ClientConnectionOpenListener$Capabilities.handleEvent(ClientConnectionOpenListener.java:420)
	at org.jboss.remoting3.remote.ClientConnectionOpenListener$Capabilities.handleEvent(ClientConnectionOpenListener.java:242)
	at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92)
	at org.xnio.conduits.ReadReadyHandler$ChannelListenerHandler.readReady(ReadReadyHandler.java:66)
	at org.xnio.nio.NioSocketConduit.handleReady(NioSocketConduit.java:89)
	at org.xnio.nio.WorkerThread.run(WorkerThread.java:591)

or when authentication context is created programatically:

java.security.AccessControlException: WFSM000001: Permission check failed (permission "("java.security.SecurityPermission" "putProviderProperty.WildFlyElytron")" in code source "(vfs:/content/programatically-set-dep.war/WEB-INF/classes <no signer certificates>)" of "ModuleClassLoader for Module "deployment.programatically-set-dep.war" from Service Module Loader")
	at org.wildfly.security.manager.WildFlySecurityManager.checkPermission(WildFlySecurityManager.java:295)
	at org.wildfly.security.manager.WildFlySecurityManager.checkPermission(WildFlySecurityManager.java:192)
	at java.lang.SecurityManager.checkSecurityAccess(SecurityManager.java:1759)
	at org.wildfly.security.manager.WildFlySecurityManager.checkSecurityAccess(WildFlySecurityManager.java:581)
	at java.security.Provider.check(Provider.java:658)
	at java.security.Provider.putService(Provider.java:1120)
	at org.wildfly.security.WildFlyElytronProvider.putHttpAuthenticationMechanismImplementations(WildFlyElytronProvider.java:232)
	at org.wildfly.security.WildFlyElytronProvider.<init>(WildFlyElytronProvider.java:142)
	at org.wildfly.security.auth.client.AuthenticationConfiguration.lambda$static$0(AuthenticationConfiguration.java:169)
	at org.wildfly.security.util.ProviderUtil$1.get(ProviderUtil.java:159)
	at org.wildfly.security.util.ProviderUtil$1.get(ProviderUtil.java:147)
	at org.wildfly.security.sasl.util.SecurityProviderSaslClientFactory.createSaslClient(SecurityProviderSaslClientFactory.java:85)
	at org.wildfly.security.sasl.util.AbstractDelegatingSaslClientFactory.createSaslClient(AbstractDelegatingSaslClientFactory.java:66)
	at org.wildfly.security.sasl.util.ProtocolSaslClientFactory.createSaslClient(ProtocolSaslClientFactory.java:50)
	at org.wildfly.security.sasl.util.AbstractDelegatingSaslClientFactory.createSaslClient(AbstractDelegatingSaslClientFactory.java:66)
	at org.wildfly.security.sasl.util.ServerNameSaslClientFactory.createSaslClient(ServerNameSaslClientFactory.java:50)
	at org.wildfly.security.sasl.util.AbstractDelegatingSaslClientFactory.createSaslClient(AbstractDelegatingSaslClientFactory.java:66)
	at org.wildfly.security.sasl.util.ServerNameSaslClientFactory.createSaslClient(ServerNameSaslClientFactory.java:50)
	at org.wildfly.security.sasl.util.FilterMechanismSaslClientFactory.createSaslClient(FilterMechanismSaslClientFactory.java:102)
	at org.wildfly.security.sasl.util.AbstractDelegatingSaslClientFactory.createSaslClient(AbstractDelegatingSaslClientFactory.java:66)
	at org.wildfly.security.sasl.util.LocalPrincipalSaslClientFactory.createSaslClient(LocalPrincipalSaslClientFactory.java:76)
	at org.wildfly.security.sasl.util.PrivilegedSaslClientFactory.lambda$createSaslClient$0(PrivilegedSaslClientFactory.java:64)
	at java.security.AccessController.doPrivileged(Native Method)
	at org.wildfly.security.sasl.util.PrivilegedSaslClientFactory.createSaslClient(PrivilegedSaslClientFactory.java:64)
	at org.wildfly.security.auth.client.AuthenticationConfiguration.createSaslClient(AuthenticationConfiguration.java:1348)
	at org.wildfly.security.auth.client.AuthenticationContextConfigurationClient.createSaslClient(AuthenticationContextConfigurationClient.java:395)
	at org.jboss.remoting3.remote.ClientConnectionOpenListener$Capabilities.handleEvent(ClientConnectionOpenListener.java:420)
	at org.jboss.remoting3.remote.ClientConnectionOpenListener$Capabilities.handleEvent(ClientConnectionOpenListener.java:242)
	at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92)
	at org.xnio.conduits.ReadReadyHandler$ChannelListenerHandler.readReady(ReadReadyHandler.java:66)
	at org.xnio.nio.NioSocketConduit.handleReady(NioSocketConduit.java:89)
	at org.xnio.nio.WorkerThread.run(WorkerThread.java:591)

- - Sort By Name
  - Sort By Date
  - Ascending
  - Descending
  - Thumbnails
  - List
  - Download All

WildflyConfigXmlReproducerServlet.war
5 kB
2018/03/27 4:52 AM

is duplicated by

ELY-1558 WildFlyElytronProvider is not initialized with appropriate privileges

Closed

Details

Description

Attachments

Attachments

Issue Links

Easy Agile Planning Poker

Activity

People

Dates